HP Threat Research Blog

June 6, 2022 | Category: Threat Research | By: Patrick Schläpfer

SVCReady: A New Loader Gets Ready

Since the end of April 2022, we have observed new malicious spam campaigns spreading a previously unknown malware family called SVCReady. The malware is notable for the unusual way it is delivered to target PCs – using shellcode hidden in the properties of Microsoft Office documents – and because it is likely in an early stage of development, given that its authors updated the malware several times in May. In this report, we share a closer look at the infection chain of the new SVCReady campaigns, the malware’s features, its changes over time, and possible links with TA551.

Figure 1 – SVCReady sample isolated by HP Wolf Security in April 2022.

Infection Chain

Based on HP Wolf Security telemetry, the first sighting of this new campaign was on 22 April 2022. The attackers sent Microsoft Word document (.doc) attachments to targets via email. As in many other malware campaigns, the documents contain Visual Basic for Applications (VBA) AutoOpen macros that are used to execute malicious code. But unlike other Office malware, the document does not use PowerShell or MSHTA to download further payloads from the web. Instead, the VBA macro runs shellcode stored in the properties of the document, which then drops and runs SVCReady malware.
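A triage heuristic for the delivery pattern just described (an auto-executing macro that pulls its payload out of the document's own properties), written here as an added example rather than HP's tooling. It assumes the macro reaches the property through the `BuiltInDocumentProperties`/`CustomDocumentProperties` interface and that the stored data is a long hex string, neither of which the post states; the VBA and property fixtures are constructed.

```python
import math
import re

# Traits of the delivery technique: auto-exec macro, property read, Win32 API declare.
AUTO_EXEC_RE = re.compile(r"\bSub\s+(AutoOpen|Document_Open)\b", re.IGNORECASE)
DOC_PROPS_RE = re.compile(r"(BuiltIn|Custom)DocumentProperties", re.IGNORECASE)
API_DECLARE_RE = re.compile(r'\bDeclare\b.*\bLib\s+"kernel32"', re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def shannon_entropy(text: str) -> float:
    """Bits per character: English metadata sits near 4, packed data higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def macro_indicators(vba: str) -> dict:
    """Which of the three macro traits are present in the VBA source."""
    return {
        "auto_exec": bool(AUTO_EXEC_RE.search(vba)),
        "reads_doc_properties": bool(DOC_PROPS_RE.search(vba)),
        "declares_kernel32_api": bool(API_DECLARE_RE.search(vba)),
    }

def suspicious_properties(props: dict, min_len: int = 256) -> list:
    """Names of property values too long and too uniform to be human-written."""
    return [name for name, value in props.items()
            if len(value) >= min_len
            and (HEX_RE.match(value) or shannon_entropy(value) > 5.0)]

def assess(vba: str, props: dict) -> str:
    """Combine macro and property indicators into a triage verdict."""
    ind = macro_indicators(vba)
    hits = suspicious_properties(props)
    if ind["auto_exec"] and ind["reads_doc_properties"] and hits:
        return "suspicious: auto-exec macro reads oversized encoded property"
    if any(ind.values()) or hits:
        return "review"
    return "clean"

# Constructed fixtures (not real samples): a benign document and one matching the
# pattern above, with deterministic hex filler standing in for a payload.
BENIGN_VBA = 'Sub FormatTable()\n  Selection.Font.Bold = True\nEnd Sub\n'
BENIGN_PROPS = {"Title": "Quarterly report", "Comments": "Reviewed by finance"}
SUSPICIOUS_VBA = ('Private Declare PtrSafe Function SomeApi Lib "kernel32" () As LongPtr\n'
                  'Sub AutoOpen()\n  buf = ActiveDocument.BuiltInDocumentProperties("Comments").Value\n'
                  'End Sub\n')
SUSPICIOUS_PROPS = {"Title": "Invoice",
                    "Comments": "".join(f"{(i * 37) % 256:02x}" for i in range(400))}
```

Run `assess(SUSPICIOUS_VBA, SUSPICIOUS_PROPS)` against the fixtures to see the combined verdict; the individual indicator functions are what you would wire into a mail-gateway or sandbox pipeline.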